The California Privacy Protection Agency (CPPA or Agency) published 66 pages of proposed draft regulations (Draft Regulations) that govern the California Privacy Rights Act (CPRA) as a special treat on Friday, May 27 for some light Memorial Day weekend reading. In case you found yourself, like many, with other activities to occupy your holiday, this alert outlines several key observations from the Draft Regulations.
We expect the Draft Regulations to change (and hopefully soften) to some extent as the formal rulemaking process and public comment period commence. However, if your business is subject to the California Consumer Privacy Act (and will be subject to the CPRA), take action now to evaluate gaps in compliance, given the significant time and attention that will likely be needed to operationalize the current requirements. Do not be caught off guard and rushed to meet the year-end deadline.
Opt-Out Signals Must be Honored
- The Draft Regulations propose mandatory honoring of web-based opt-out preference signals. The text of the CPRA presents honoring an opt-out preference signal as an option businesses might adopt as a compliance mechanism, not as a mandated avenue businesses must offer consumers for exercising opt-out rights. The CPPA did not expressly state which signals must be accepted.
- Additional debate on this point is expected throughout formal rulemaking, given the technical difficulties of identifying, tracking, and honoring such signals in the manner proposed by the Draft Regulations.
- Of note, if businesses respond to opt-out preference signals in the prescribed manner, they may be exempt from displaying the “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” links going forward.
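The Draft Regulations do not name a specific signal, so the following added example (not part of the original alert) assumes the signal is Global Privacy Control (GPC), which browsers and extensions express as the request header `Sec-GPC: 1` and expose to page scripts as `navigator.globalPrivacyControl`. It shows the server-side half of "identifying, tracking, and honoring" such a signal: parse the header strictly, combine it with any explicit on-site opt-out, suppress tags classified as a sale or share of personal information when the consumer has opted out, and publish the `/.well-known/gpc.json` resource that advertises support. The request object, cookie name, and tag classification are illustrative assumptions, not anything the Draft Regulations prescribe.

```python
"""Honoring a web-based opt-out preference signal on the server side.

Added example. Assumes the signal is Global Privacy Control (GPC): the
request header ``Sec-GPC: 1``. The cookie name ``ccpa_optout`` and the
tag catalogue below are illustrative assumptions.
"""
import json
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for a web framework's request object (constructed)."""
    headers: dict
    cookies: dict = field(default_factory=dict)


def gpc_opted_out(headers: dict) -> bool:
    """Return True only for the exact value '1'.

    The GPC draft defines '1' as the sole opt-out value; anything else
    ("true", "yes", "0", empty) must NOT be treated as a signal, otherwise
    a malformed header could be misread as an opt-in or an opt-out.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get("sec-gpc", "").strip() == "1"


def opted_out_of_sale_or_sharing(req: Request) -> bool:
    """Combine the browser signal with an explicit on-site choice.

    Either source is sufficient: the signal is treated as a valid opt-out
    request, and a consumer who already clicked the opt-out link stays
    opted out even from a browser that does not send the signal.
    """
    return gpc_opted_out(req.headers) or req.cookies.get("ccpa_optout") == "1"


# Illustrative catalogue of third-party tags and whether loading them is a
# "sale or share" of personal information. Classification is a business
# decision; these labels are assumptions for the example.
TAG_CATALOGUE = {
    "first-party-analytics": {"sale_or_share": False},
    "ad-retargeting-pixel": {"sale_or_share": True},
    "social-share-widget": {"sale_or_share": True},
    "fraud-prevention": {"sale_or_share": False},
}


def allowed_tags(req: Request, requested: list) -> list:
    """Filter the tags a page wants to load for this request.

    Unknown tags are dropped for an opted-out consumer (fail closed), and
    tags marked as a sale or share are dropped regardless of other settings.
    """
    opted_out = opted_out_of_sale_or_sharing(req)
    kept = []
    for name in requested:
        entry = TAG_CATALOGUE.get(name)
        if not opted_out:
            kept.append(name)
        elif entry is not None and not entry["sale_or_share"]:
            kept.append(name)
    return kept


def response_headers(req: Request) -> dict:
    """Headers to attach to the response.

    ``Vary: Sec-GPC`` prevents a cache from serving a page built for a
    non-opted-out visitor to one whose browser sent the signal. When the
    signal was honored, the opt-out is also persisted in a cookie so the
    choice survives on pages or clients that do not send the header.
    """
    out = {"Vary": "Sec-GPC"}
    if gpc_opted_out(req.headers):
        out["Set-Cookie"] = "ccpa_optout=1; Path=/; Secure; HttpOnly; SameSite=Lax"
    return out


def gpc_well_known(last_update: str) -> str:
    """Body for GET /.well-known/gpc.json advertising that GPC is honored."""
    return json.dumps({"gpc": True, "lastUpdate": last_update})


if __name__ == "__main__":
    # Constructed sample request from a browser sending the signal.
    req = Request(headers={"Sec-GPC": "1", "User-Agent": "example"})
    print(opted_out_of_sale_or_sharing(req))
    print(allowed_tags(req, ["first-party-analytics", "ad-retargeting-pixel"]))
    print(response_headers(req))
```

The same decision should be enforced wherever personal information leaves the business (server-side tag managers, pixel endpoints, data feeds to Vendors), not only in the page template; a header check that gates one script include while a server-to-server feed continues is not honoring the signal in the prescribed manner.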
Contractors, Service Providers, and Third Parties (Oh My!)
- Distinctions introduced in the statutory text of the CPRA already trigger additional review of a business's contractors, service providers, and third parties that may interact with a consumer's personal information on the business's behalf (collectively referred to in this alert as Vendors). The Draft Regulations introduce new obligations on businesses and Vendors that, if adopted without change, may substantially disrupt existing commercial relationships and operations and require significant investment in new compliance technologies and processes. For example, within their privacy policies, businesses would be required to list the names of all third parties that they allow to collect personal information from the consumer, including the names of all third parties that set cookies on the business's website.
- The Draft Regulations explicitly call on businesses and their Vendors not only to cascade consumer requests (e.g., requests to delete, to know, and to correct) to their service providers and contractors, but also to cooperate fully in fulfilling those requests and to specifically identify any exception relied on to decline fulfillment (including exceptions asserted at the sub-processor level). Compliance with these flow-down requirements, if enacted as drafted, will likely impose significant operational, risk management, and technical burdens.
- The Draft Regulations call out a business's failure to audit or otherwise test Vendor compliance as a potential bar to certain defenses against violations committed by the Vendor.
Dark Patterns Illuminated?
- The Draft Regulations attempt to demystify what constitutes a dark pattern. When presenting a choice or seeking consent, businesses must design and implement the consumer's options in a manner that complies with the following:
- Easy to understand: No legal mumbo jumbo or overly technical language.
- Symmetry in choice: Businesses can't present choices where one option immediately executes the consumer's request while the other routes the consumer through a series of additional “choices” before taking effect.
- No confusing elements: Don't use double negatives when presenting choices, and avoid using or placing toggles or other visual elements in a confusing manner.
- No manipulative language or choice structure: Don't attempt to guilt or shame a consumer into making a certain choice or granting consent. For example, when offering a financial incentive, don't present consumers with a choice between “Yes – I love discounts!” and “No – I hate money.”
- Easy execution: Don't add unnecessary burdens or “friction” (as defined in the Draft Regulations) to the processes by which consumers exercise their choices. Notably, the “friction” concept forbids merely hyperlinking to the privacy policy as a whole for certain rights and notices. Where applicable, the link must take the consumer directly to the mechanism for exercising the right, or to the portion of the privacy policy (notice) that addresses it.
- If a business violates ANY of the above, the Draft Regulations treat the resulting interface (or omission) as a de facto dark pattern, and consent obtained through it is not valid consent.
Audits…Because We Said So
- The Draft Regulations vest robust (and discretionary) audit rights in the Agency. The Agency may audit a business (WITH OR WITHOUT NOTICE):
- To investigate possible violations.
- Because the business has a history of noncompliance with CCPA or any other privacy protection law.
- Because the Agency feels like it (more precisely, because the business's collection or processing of personal information, in the Agency's opinion, “presents significant risk to consumer privacy or security”).
Key Dates
- June 8, 2022: CPPA Board Meeting
- January 1, 2023: CPRA Effective Date
  - Cure period for CCPA violations sunsets.
  - Broad exemption of employee/employment context data expires.
- July 1, 2023: CPRA Enforcement Commences
Our team will continue to monitor as the CPPA issues additional draft regulations and formal rulemaking commences.